tags:

views:

46

answers:

2
+2  Q: 

Using String.equals compare password and authenticate user against LDAP server, Does it make any sense?

I'm working with pretty old, big CMS (TeamSite) and it has an example how to connect it to an LDAP server. I've read the example and it work in very bizarre way. It just store a password in the "userPassword" field as expected but it does the validation manually instead of using the bind command.

This doesn't make sense to me but I can be wrong here as I haven't worked with LDAP servers before. Do you have any idea why somebody would like to manually compare the password instead of using bind?

Here is how the code looks like:

  Attribute attrPassword = attrs.get("userPassword");
  if (attrPassword.size() > 0)
  {
    String storedPassword = new String((byte[])attrPassword.get(0));

    if (password.equals(storedPassword))
    {  
      ///.....
+5  A: 

That doesn't make sense to me either. The password in the LDAP shouldn't be the actual password itself, it should be a hash of the password. If you retrieve the field and do a comparison, you need to know what kind of hash it's using and hash the password you're comparing yourself in the same way. It also requires that the userPassword attribute in the LDAP be available for retrieval, which shouldn't be necessary I don't think.

In short, no... I think you should be using bind.

ColinD  2010-10-26 16:18:57
Seconded. I'd like to add that some LDAP implementations do not allow read access to the `userPassword` but only allow you to use it in queries.
Philipp Jardas  2010-10-26 17:03:16
That would explain why I've seen the password stored in the "comment" field in another example :)
Piotr Czapla  2010-10-27 08:14:11
Regarding the plain text password. I've found somewhere in the comments that JavaScript makes SHA1 digest from the password before submitting the form.
Piotr Czapla  2010-10-27 08:21:02
+1  A: 

LDAP supports a compare on passwords, but backwards from the way your code seems to be doing it.

Generally, the client trying to compare, provides the password, the LDAP server does the compare, and returns true or false.

Your code looks like it is trying to read the password from LDAP then do the compare in its process space.

This seems unlikely to work with most any LDAP server, unless the hashing method is known and the storedPassword value is prehashed.

You might consider bind vs compare if you want (or do not want) a login event to happen. A login event can be useful to track account activity. (For PCI compliance, for example, you would want people not to be deactivated due to inactivity, which would be determined by logins).

geoffc  2010-10-26 16:25:34

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java